Is this class the key to filling cybersecurity roles?
Industry and students are energised by a new hands-on approach to learning
At a time when Australia faces a surge in cyber attacks, the country is also experiencing a severe shortage of cybersecurity skills that could take years to fill, according to industry experts.
One woman working to meet the demand for skilled security experts is Yenni Tim, a lecturer in the school of information systems and technology management at UNSW Business School. Tim, who designed the cybersecurity course at the university, wanted to make the classes more relevant and enjoyable for students.
“I was thinking about how to teach such a technical yet broad and abstract subject using the conventional textbook approach,” explains Tim. “You begin with all the definitions and by the end of chapter one, the students are either intimidated by the subject or they have fallen asleep.”
Tim decided to bring the real world into the classroom via a new methodology developed by the Business School’s Digital Enablement Research Network (DERN) that aims to bridge the gap between research and practice.
The Sandbox Method, as it was dubbed by DERN, is a translational, multidisciplinary research methodology for co-creating business and social impact. Researchers work closely with practitioners to identify issues of common interest and find solutions for them. Tim thought the methodology would be perfect for her classes.
'They made us think and the learning became more like a two-way thing. It was a win-win situation’
JAY HIRA
Context and issues
The insurance giant IAG was the first business to partner with Tim in the course. She initially approached the company as a source for guest lecturers on cybersecurity, but a more ambitious idea emerged that had the potential to benefit students, lecturers and IAG.
“Most of the time when we teach, we base it on an established curriculum, with concepts drawn from books – and then we might introduce case studies,” says Tim.
“But Sandbox reverses the process by starting with a practical problem. We bring in an organisation to present the issue and give students the tools and support to enable them to solve this real-world problem.”
This year, accounting and business advisory giant EY has become involved. The company’s senior manager for cybersecurity, Jay Hira, says the Sandbox Method helps students understand the kinds of problems faced by industry.
“We provide the context and the issues; then it’s up to the students to fix them,” says Hira, who was one of 10 external consultants who worked with the students. “It requires complex thinking through the whole lifecycle of the problem.”
Hira was impressed with the students’ high-level thinking and the questions they asked.
“It’s easy when you are talking to other executives and technicians to slip into using more and more technical jargon. With the students we had to break it down into simple terms, which helps to clarify your thinking,” he says.
“They made us think and the learning became more like a two-way thing. It was a win-win situation.”
'Often the students are good but they don’t know enough about the cybersecurity industry or have enough experience'
YENNI TIM
Demystify and dispel
During the course, students were guided through a cybersecurity problem; examined different cybersecurity roles; were introduced to cyber security frameworks and participated in role-play exercises, such as posing as executives and consultants to discuss strategy and argue for security funding from a board.
According to Tim, the Sandbox Method has transformed the course.
“Cybersecurity used to have a reputation for being a very difficult course and [some] students doubted whether they would be capable of handling this kind of topic. But the feedback is that this model has helped them learn. The attendance rate is fantastic, students are very curious, asking EY a lot of questions and, using Microsoft Teams software, engagement happens beyond the classroom. It's really amazing," she says.
In an environment where companies are fighting for cybersecurity talent, EY has also benefited, adds Tim.
“We don’t have enough students going into this field. Often the students are good but they don’t know enough about the cybersecurity industry or have enough experience. For a company to have the opportunity to design the course content and engage with students over a period of time and demystify cybersecurity and dispel some myths is huge.”
EY has taken on three UNSW graduates and three vacation work students as a result of the course, says Hira.
Some of the student presentations at the end of the course really caught EY’s attention, he says.
“They were so close to what we would present to clients, it made me feel like I needed to go back to university.”
Tim says the Sandbox for Education model is gaining currency at UNSW as word has spread among lecturers about its efficacy.
“Colleagues have been asking how to implement it and I am now devising simple guidelines on how to introduce the Sandbox model into the classroom,” she says.
“If I could develop simulation tools – we created one last year to look at phishing emails – then we could deliver more interactive content to students.”
In the long term, Tim sees this education model applied to companies to improve awareness and security.
“At the moment, cybersecurity training for employees often involves online modules that are mandatory and rather mindless. If they have a simulation approach it makes them see the relevance of the problem. This new mindset needs to be taken up by organisations; Sandbox offers a very attractive way to improve how people teach and learn.”